Vault 7: Plans to expose firms that do not patch flaws

Some organisations, such as the Mozilla Foundation, have received information from WikiLeaks to help them fix vulnerabilities in their products that were recorded in Vault 7, the CIA document dump released a fortnight ago.

WikiLeaks publisher Julian Assange said Google and some other companies had yet to respond, apart from confirming that the offer had been made.

Assange held a press conference overnight on 10 March to offer to share unpublished data from Vault 7 with technology companies to enable them to fix vulnerabilities detailed therein.

During that conference, he also said that once the remaining material — which he said was a very large amount — had been vetted and critical details redacted, it would be released to the public.

In a statement issued on Friday, Assange said the companies that had been contacted had not agreed to, disagreed with or questioned what he termed WikiLeaks' standard industry disclosure plan.

The standard disclosure time for a vulnerability is 90 days after the person/company responsible for patching the software is given full details of the vulnerability.

Assange said most of the companies that were lagging behind in agreeing to the disclosure plan and receiving information about vulnerabilities from WikiLeaks "have conflicts of interest due to their classified work for US government agencies".

Many multinational technology companies in the US have big contracts with government agencies and departments. For example, Microsoft recently cut a deal with the Pentagon for Windows 10 installations.

Linux companies are also part of this mix: Red Hat Linux has contracts for its enterprise Linux with the NSA, which runs some of its spying software on the platform.

Even newspaper companies have ties of this nature: the owner of the Washington Post, Jeff Bezos, who is better known as the boss of Amazon, has a US$600 million contract to supply cloud services to the CIA.

Assange said that, in practice, associations such as these restricted tech industry staff from fixing security holes based on information that had been leaked from the CIA.

"Should such companies choose to not secure their users against CIA or NSA attacks, users may prefer organisations such as Mozilla or European companies that prioritise their users over government contracts," he said.

"Should these companies continue to drag their feet, we will create a league table comparing responsiveness and government entanglements so users can decide for themselves."

Cisco on Friday announced that 318 of its router models were at risk of a remote attack through a vulnerability detailed in the Vault 7 documents.

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.